diff --git a/refpolicy/Rules.modular b/refpolicy/Rules.modular
index 4ca258f..92df08d 100644
--- a/refpolicy/Rules.modular
+++ b/refpolicy/Rules.modular
@@ -208,7 +208,7 @@ enableaudit: $(BASE_CONF)
 #
 $(APPDIR)/customizable_types: $(BASE_CONF)
 	@mkdir -p $(APPDIR)
-	$(verbose) $(GREP) '^[[:blank:]]*type .*customizable' $< | cut -d',' -f1 | cut -d' ' -f2 | $(SORT) -u > $(TMPDIR)/customizable_types
+	$(verbose) $(GREP) '^[[:blank:]]*type .*customizable' $< | cut -d';' -f1 | cut -d',' -f1 | cut -d' ' -f2 | $(SORT) -u > $(TMPDIR)/customizable_types
 	$(verbose) install -m 644 $(TMPDIR)/customizable_types $@ 
 
 ########################################
diff --git a/refpolicy/Rules.monolithic b/refpolicy/Rules.monolithic
index c6df7b6..89b2d1d 100644
--- a/refpolicy/Rules.monolithic
+++ b/refpolicy/Rules.monolithic
@@ -230,7 +230,7 @@ $(BUILDDIR)longcheck.res: $(POLICY_CONF) $(FC)
 #
 $(APPDIR)/customizable_types: $(POLICY_CONF)
 	@mkdir -p $(APPDIR)
-	$(verbose) $(GREP) '^[[:blank:]]*type .*customizable' $< | cut -d',' -f1 | cut -d' ' -f2 | $(SORT) -u > $(TMPDIR)/customizable_types
+	$(verbose) $(GREP) '^[[:blank:]]*type .*customizable' $< | cut -d';' -f1 | cut -d',' -f1 | cut -d' ' -f2 | $(SORT) -u > $(TMPDIR)/customizable_types
 	$(verbose) install -m 644 $(TMPDIR)/customizable_types $@ 
 
 ########################################
diff --git a/refpolicy/policy/modules/services/cups.fc b/refpolicy/policy/modules/services/cups.fc
index 4fcfb99..c744fe9 100644
--- a/refpolicy/policy/modules/services/cups.fc
+++ b/refpolicy/policy/modules/services/cups.fc
@@ -35,7 +35,8 @@
 /usr/share/hplip/hpssd.py --	gen_context(system_u:object_r:hplip_exec_t,s0)
 
 /var/cache/alchemist/printconf.* gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-/var/cache/foomatic(/.*)? --	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/var/cache/foomatic(/.*)? 	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/var/cache/cups(/.*)? 		gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
 
 /var/lib/cups/certs	-d	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
 /var/lib/cups/certs/.*	--	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
diff --git a/refpolicy/policy/modules/services/ftp.te b/refpolicy/policy/modules/services/ftp.te
index cc87327..eb8bdee 100644
--- a/refpolicy/policy/modules/services/ftp.te
+++ b/refpolicy/policy/modules/services/ftp.te
@@ -126,6 +126,7 @@ miscfiles_read_public_files(ftpd_t)
 seutil_dontaudit_search_config(ftpd_t)
 
 sysnet_read_config(ftpd_t)
+sysnet_use_ldap(ftpd_t)
 
 userdom_dontaudit_search_sysadm_home_dirs(ftpd_t)
 userdom_dontaudit_use_unpriv_user_fds(ftpd_t)
diff --git a/refpolicy/policy/modules/services/postfix.te b/refpolicy/policy/modules/services/postfix.te
index bb7a992..a81220b 100644
--- a/refpolicy/policy/modules/services/postfix.te
+++ b/refpolicy/policy/modules/services/postfix.te
@@ -315,6 +315,7 @@ files_tmp_filetrans(postfix_map_t, postfix_map_tmp_t, { file dir })
 
 kernel_read_kernel_sysctls(postfix_map_t)
 kernel_dontaudit_list_proc(postfix_map_t)
+kernel_dontaudit_read_system_state(postfix_map_t)
 
 corenet_tcp_sendrecv_all_if(postfix_map_t)
 corenet_udp_sendrecv_all_if(postfix_map_t)
@@ -358,8 +359,7 @@ seutil_read_config(postfix_map_t)
 sysnet_read_config(postfix_map_t)
 
 ifdef(`targeted_policy',`
-	# FIXME: would be better to use a run interface
-	role system_r types postfix_map_t;
+	term_dontaudit_use_generic_ptys(postfix_map_t)
 ')
 
 tunable_policy(`read_default_t',`
diff --git a/refpolicy/policy/modules/services/postgresql.if b/refpolicy/policy/modules/services/postgresql.if
index e030d16..818ba7c 100644
--- a/refpolicy/policy/modules/services/postgresql.if
+++ b/refpolicy/policy/modules/services/postgresql.if
@@ -113,10 +113,12 @@ interface(`postgresql_tcp_connect',`
 #
 interface(`postgresql_stream_connect',`
 	gen_require(`
-		type postgresql_t, postgresql_var_run_t;
+		type postgresql_t, postgresql_var_run_t, postgresql_tmp_t;
 	')
 
 	files_search_pids($1)
 	allow $1 postgresql_t:unix_stream_socket connectto;
 	allow $1 postgresql_var_run_t:sock_file write;
+        # Some versions of postgresql put the sock file in /tmp
+	allow $1 postgresql_tmp_t:sock_file write;
 ')
diff --git a/refpolicy/policy/modules/services/privoxy.te b/refpolicy/policy/modules/services/privoxy.te
index 0be0cd7..efff376 100644
--- a/refpolicy/policy/modules/services/privoxy.te
+++ b/refpolicy/policy/modules/services/privoxy.te
@@ -50,6 +50,7 @@ corenet_tcp_sendrecv_all_ports(privoxy_t)
 corenet_non_ipsec_sendrecv(privoxy_t)
 corenet_tcp_bind_http_cache_port(privoxy_t)
 corenet_tcp_connect_http_port(privoxy_t)
+corenet_tcp_connect_http_cache_port(privoxy_t)
 corenet_tcp_connect_ftp_port(privoxy_t)
 corenet_tcp_connect_tor_port(privoxy_t)
 
diff --git a/refpolicy/policy/modules/services/samba.te b/refpolicy/policy/modules/services/samba.te
index 306e2ae..0339015 100644
--- a/refpolicy/policy/modules/services/samba.te
+++ b/refpolicy/policy/modules/services/samba.te
@@ -160,6 +160,7 @@ optional_policy(`
 	corenet_non_ipsec_sendrecv(samba_net_t)
 	corenet_tcp_bind_all_nodes(samba_net_t)
 	sysnet_read_config(samba_net_t)
+        corenet_tcp_connect_ldap_port(samba_net_t)
 ')
 
 optional_policy(`
@@ -269,6 +270,7 @@ files_list_mnt(smbd_t)
 
 init_use_fds(smbd_t)
 init_use_script_ptys(smbd_t)
+init_rw_utmp(smbd_t)
 
 libs_use_ld_so(smbd_t)
 libs_use_shared_libs(smbd_t)
diff --git a/refpolicy/policy/modules/services/spamassassin.fc b/refpolicy/policy/modules/services/spamassassin.fc
index 37093c0..260950c 100644
--- a/refpolicy/policy/modules/services/spamassassin.fc
+++ b/refpolicy/policy/modules/services/spamassassin.fc
@@ -1,5 +1,5 @@
 
-/usr/bin/sa-learn	--	gen_context(system_u:object_r:spamd_exec_t,s0)
+/usr/bin/sa-learn	--	gen_context(system_u:object_r:spamc_exec_t,s0)
 /usr/bin/spamc		--	gen_context(system_u:object_r:spamc_exec_t,s0)
 /usr/bin/spamd		--	gen_context(system_u:object_r:spamd_exec_t,s0)
 
diff --git a/refpolicy/policy/modules/system/authlogin.te b/refpolicy/policy/modules/system/authlogin.te
index ecbf208..9a72969 100644
--- a/refpolicy/policy/modules/system/authlogin.te
+++ b/refpolicy/policy/modules/system/authlogin.te
@@ -173,9 +173,13 @@ dev_getattr_video_dev(pam_console_t)
 dev_setattr_video_dev(pam_console_t)
 dev_getattr_xserver_misc_dev(pam_console_t)
 dev_setattr_xserver_misc_dev(pam_console_t)
+dev_read_urand(pam_console_t)
 
 fs_search_auto_mountpoints(pam_console_t)
 
+mls_file_read_up(pam_console_t)
+mls_file_write_down(pam_console_t)
+
 storage_getattr_fixed_disk_dev(pam_console_t)
 storage_setattr_fixed_disk_dev(pam_console_t)
 storage_getattr_removable_dev(pam_console_t)
@@ -206,8 +210,8 @@ libs_use_shared_libs(pam_console_t)
 
 logging_send_syslog_msg(pam_console_t)
 
-mls_file_read_up(pam_console_t)
-mls_file_write_down(pam_console_t)
+miscfiles_read_localization(pam_console_t)
+miscfiles_read_certs(pam_console_t)
 
 seutil_read_file_contexts(pam_console_t)
 
diff --git a/refpolicy/policy/modules/system/libraries.fc b/refpolicy/policy/modules/system/libraries.fc
index 02370c7..b65ef96 100644
--- a/refpolicy/policy/modules/system/libraries.fc
+++ b/refpolicy/policy/modules/system/libraries.fc
@@ -83,12 +83,14 @@ ifdef(`distro_redhat',`
 /usr/lib(64)?/nvidia-graphics(-[^/]*/)?libGL(core)?\.so(\.[^/]*)*             --      	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/nvidia-graphics(-[^/]*/)?libnvidia.*\.so(\.[^/]*)*              --      	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/nvidia-graphics(-[^/]*/)?libXvMCNVIDIA\.so.*            --      	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/vmware(.*/)?VmPerl\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 
 /usr/(local/)?lib(64)?/wine/.*\.so  		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/(local/)?lib/libfame-.*\.so.*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/local/.*\.so(\.[^/]*)*		--	gen_context(system_u:object_r:shlib_t,s0)
 
+/usr/NX/lib/libXcomp.so.*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/NX/lib/libjpeg.so.* 		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+
 /usr/X11R6/lib/libGL\.so.* 		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/X11R6/lib/libXvMCNVIDIA\.so.* 	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 
@@ -189,6 +191,8 @@ HOME_DIR/.*/plugins/libflashplayer\.so.* --	gen_context(system_u:object_r:textre
 
 # vmware 
 /usr/lib(64)?/vmware/lib(/.*)?/libgdk-x11-.*\.so.*  -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/vmware/lib(/.*)?/HConfig.so  --	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/vmware/(.*/)?VmPerl\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 
 # Java, Sun Microsystems (JPackage SRPM)
 /usr/(.*/)?jre.*/libdeploy.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
diff --git a/refpolicy/policy/modules/system/mount.if b/refpolicy/policy/modules/system/mount.if
index ce71126..99cc380 100644
--- a/refpolicy/policy/modules/system/mount.if
+++ b/refpolicy/policy/modules/system/mount.if
@@ -113,3 +113,29 @@ interface(`mount_send_nfs_client_request',`
 	allow $1 mount_t:udp_socket rw_socket_perms;
 ')
 
+########################################
+## <summary>
+##	Execute mount in the unconfined mount domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mount_domtrans_unconfined',`
+	ifdef(`targeted_policy',`
+		gen_require(`
+			type unconfined_mount_t, mount_exec_t;
+		')
+
+		domain_auto_trans($1,mount_exec_t,unconfined_mount_t)
+
+		allow $1 unconfined_mount_t:fd use;
+		allow unconfined_mount_t $1:fd use;
+		allow unconfined_mount_t $1:fifo_file rw_file_perms;
+		allow unconfined_mount_t $1:process sigchld;
+	',`
+		errprint(`Warning: $0($1) has no effect in strict policy.'__endline__)
+	')
+')
diff --git a/refpolicy/policy/modules/system/mount.te b/refpolicy/policy/modules/system/mount.te
index ba89ae1..acf6d73 100644
--- a/refpolicy/policy/modules/system/mount.te
+++ b/refpolicy/policy/modules/system/mount.te
@@ -14,6 +14,12 @@ role system_r types mount_t;
 type mount_tmp_t;
 files_tmp_file(mount_tmp_t)
 
+ifdef(`targeted_policy',`
+	type unconfined_mount_t;
+	domain_type(unconfined_mount_t)
+	domain_entry_file(unconfined_mount_t,mount_exec_t)
+')
+
 ########################################
 #
 # mount local policy
@@ -151,3 +157,13 @@ optional_policy(`
 optional_policy(`
 	samba_domtrans_smbmount(mount_t)
 ')
+
+########################################
+#
+# Unconfined mount local policy
+#
+
+ifdef(`targeted_policy',`
+	files_manage_etc_runtime_files(unconfined_mount_t)
+	unconfined_domain(unconfined_mount_t)
+')
diff --git a/refpolicy/policy/modules/system/unconfined.te b/refpolicy/policy/modules/system/unconfined.te
index 17e2fdb..a28a26c 100644
--- a/refpolicy/policy/modules/system/unconfined.te
+++ b/refpolicy/policy/modules/system/unconfined.te
@@ -36,7 +36,10 @@ ifdef(`targeted_policy',`
 
 	logging_domtrans_auditctl(unconfined_t)
 
+	mount_domtrans_unconfined(unconfined_t)
+
 	seutil_domtrans_restorecon(unconfined_t)
+	seutil_domtrans_semanage(unconfined_t)
 
 	userdom_unconfined(unconfined_t)
 	userdom_priveleged_home_dir_manager(unconfined_t)
@@ -140,10 +143,6 @@ ifdef(`targeted_policy',`
 	')
 
 	optional_policy(`
-		seutil_domtrans_semanage(unconfined_t)
-	')
-
-	optional_policy(`
 		sysnet_domtrans_dhcpc(unconfined_t)
 	')